
OAuth 2.0 is a popular authorisation protocol that allows users to grant third-party applications access to their resources without revealing their usernames or passwords. It is the standard for delegated access to APIs and is widely used to control access to shared online resources.

How does it work?

OAuth 2.0 (RFC 6749) defines four main flows or grant types: Authorisation Code, Implicit, Resource Owner Password Credentials and Client Credentials. The DualShield Authorisation Server uses the Client Credentials grant type, which is typically used when the API endpoint sits behind a reverse proxy service and the client is itself a trusted service rather than an end user.

There are a few key components:


Client Application: The application that wants to access a protected resource. In our case these are the DualShield Frontend agents such as SSO, the Self-Service Consoles, the Windows Logon Agent and the DualRadius Server.

Resource Owner: The entity that can grant access to the protected resource. In the user-facing grants this is the user who authorises an application to access their account; in the Client Credentials grant the client acts on its own behalf, so there is no end user in the exchange.

Authorisation Server: The server that authenticates the client (and, in the user-facing grants, the user) and issues access tokens (e.g. the DualShield Authentication Server).

Resource Server: The API or service hosting the protected resource, which the client accesses by presenting the access token (in our case also the DualShield Authentication Server / backend).

The Client Application requests access to a resource. The Resource Owner gives permission in the form of an authorisation grant, which is returned to the client.

The client then presents the grant to the Authorisation Server. In return, the server issues an Access Token to the client.

The client uses the token on the Resource Server to access the protected resource. In the Client Credentials grant the "grant" is simply the client's own credentials (its Client ID and Client Secret), so the first step collapses into the token request.

A real-life scenario

You wish to log on to ChatGPT and are given the option of signing in with an account you have already created, signing up for a new account, or continuing with a Google, Microsoft or Apple account.


You decide to continue with Google and click 'Continue with Google'. You are redirected to Google's sign-in page.

You sign in with Google, after which you are returned to ChatGPT with access to your ChatGPT profile; ChatGPT never sees your Google password. Note that this sign-in scenario uses a user-facing grant (the Authorisation Code flow, with the user present to consent), whereas the DualShield deployment uses the Client Credentials grant with no end user involved.

Access Token: A credential issued by the authorisation server that the client uses to access protected resources. Often a JWT (JSON Web Token). It is sent in the HTTP Authorization header using the Bearer scheme (Authorization: Bearer <token>), so anyone holding the token can use it; this is why it must be short-lived and only ever sent over TLS.

Proxy Server: A gateway acting as an intermediary between the client and the resource server; here it validates the access token before forwarding the request.


The client application (a DualShield Frontend agent) requests an access token. To obtain it, the client POSTs a request to the authorisation server's token endpoint (the DualShield Backend) with grant_type=client_credentials together with its Client ID and Client Secret. Because the secret travels in this request, it must only be sent over TLS.

Once the authorisation server has validated the Client ID and Client Secret, it returns an access token to the client.

The client now sends its API request to the Proxy gateway, carrying the access token in the HTTP Authorization header using the Bearer scheme (Authorization: Bearer <token>).

The Proxy server validates the access token (typically checking its signature, expiry and intended audience) and forwards the request to the Resource Server (in this case the DualShield backend is also the resource server). A request with a missing, expired or tampered token is rejected at the proxy and never reaches the backend.

The Resource Server responds with the requested resource.
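The following is an added example, not DualShield's own code, that plays out the exchange just described (and the generic grant/token/resource sequence earlier on the page) end to end in one file: a token endpoint that authenticates the client by Client ID and Client Secret and issues a JWT, a proxy that checks the Bearer header before forwarding, and a resource server behind it. The client registry, signing key, issuer URL and audience are constructed for the example; it signs with HS256 from the standard library so it runs offline, whereas a production deployment would normally use an asymmetric algorithm (RS256/ES256) so the proxy only needs the public key.

```python
"""Client Credentials grant plus Bearer-token validation at a proxy (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed registry of confidential clients (hypothetical IDs and secrets).
CLIENTS = {"ds-frontend-sso": "s3cr3t-frontend"}
SIGNING_KEY = b"hypothetical-hs256-key"      # shared by auth server and proxy
ISSUER = "https://dualshield.example/auth"   # hypothetical issuer URL
AUDIENCE = "dualshield-backend"              # hypothetical audience name
TOKEN_TTL = 300                              # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


def token_endpoint(form: dict, now: Optional[float] = None) -> Optional[dict]:
    """Authorisation server: POST /token with grant_type=client_credentials.
    Returns the token response, or None if the client cannot be authenticated."""
    if form.get("grant_type") != "client_credentials":
        return None
    client_id = form.get("client_id", "")
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so timing does not leak how much of the secret matched.
    if expected is None or not hmac.compare_digest(expected.encode(), form.get("client_secret", "").encode()):
        return None
    iat = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": AUDIENCE, "iat": iat, "exp": iat + TOKEN_TTL}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    jwt = signing_input + "." + _sign(signing_input.encode())
    return {"access_token": jwt, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def validate_bearer(authorization: Optional[str], now: Optional[float] = None) -> Optional[dict]:
    """Proxy: verify the Authorization header and return the claims, or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: never let the token's own header choose the verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = _sign(f"{header_b64}.{claims_b64}".encode())
    if not hmac.compare_digest(expected_sig.encode(), sig.encode()):
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        return None
    return claims


def resource_server(claims: dict, path: str) -> dict:
    """Resource server: trusts the proxy's validation and serves the resource."""
    return {"path": path, "client": claims["sub"], "data": "protected-resource"}


def proxy(request: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """Proxy gateway: 401 on a missing/invalid token, otherwise forward."""
    claims = validate_bearer(request.get("headers", {}).get("Authorization"), now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    return 200, resource_server(claims, request.get("path", "/"))


def run_flow(client_id: str, client_secret: str, now: Optional[float] = None) -> Tuple[int, dict]:
    """The whole exchange in the order the page describes: token, then proxied call."""
    tok = token_endpoint({"grant_type": "client_credentials",
                          "client_id": client_id, "client_secret": client_secret}, now)
    if tok is None:
        return 401, {"error": "invalid_client"}
    req = {"path": "/api/authenticate",
           "headers": {"Authorization": f"Bearer {tok['access_token']}"}}
    return proxy(req, now)


if __name__ == "__main__":
    print(run_flow("ds-frontend-sso", "s3cr3t-frontend"))
    print(run_flow("ds-frontend-sso", "wrong-secret"))
```

The `now` parameter exists only so expiry can be exercised deterministically; a wrong Client Secret is rejected at the token endpoint, while a tampered, expired or non-Bearer header is rejected at the proxy and the resource server is never called.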


To map the roles across the two scenarios: in the ChatGPT example, ChatGPT is the client application and Google is the authorisation server; in the DualShield deployment, the Frontend agent is the client application and the DualShield backend is both the authorisation server and the resource server, with the proxy gateway validating tokens in front of it.